Wow, this is a rant and a half…grab a beer, you’re going to need it…
Jon Robinson pens a lovely summary of the endpoint security software sprawl discussion we’ve been chatting about lately.
My original post on the matter is here.
Specifically, he isolates what might appear to be diametrically-opposed perspectives on the matter; mine and Amrit Williams’ from BigFix.
No good story flows without a schism-inducing polarizing galvanic component, so Jon graciously obliges by proposing to slice the issue in half with the introduction of what amounts to a discussion of open versus proprietary approaches to security interoperability between components.
I’m not sure that this is the right starting point to frame this discussion, and I’m not convinced that Amrit and I are actually at polar ends of the discussion. I think we’re actually both describing the same behavior in the market, and whilst Amrit works for a company that produces endpoint agents, I think he’s discussing the issue at hand in a reasonably objective manner.
We’ll get back to this in a second. First, let’s peel back the skin from the skeleton a little.
Dissecting the Frog
Just like in high school, this is the messy part of science class where people either reveal their darksides as they take deep lung-fulls of formaldehyde vapor and hack the little amphibian victim to bits…or run shrieking from the room.
Jon comments on Amrit’s description of the "birth of the endpoint protection platform" while I care to describe it as the unnatural (but predictable) abortive by-product of industrial economic consolidation. The notion here — emotionally blanketed by the almost-unilateral hatred for anti-virus — is that we’ll see a:
"…convergence of desktop security functionality into a single product that delivers antivirus, antispyware, personal firewall and other styles of host intrusion prevention (for example, behavioral blocking) capabilities into a single and cohesive policy-managed solution."
I acknowledge this and agree that it’s happening. I’m not very happy about *how* it’s manifesting itself, however. We’re just ending up with endpoint oligopolies that still fail to provide a truly integrated and holistic security solution, and when a new class of threat or vulnerability arises, we get another agent — or chunky bit grafted onto the Super Agent from some acquisition that clumsily ends up as a product roadmap feature due to market opportunism.
You know, like DLP, NAC, WAF… 😉
One might suggest that if the "platform" as described was an open, standards-based framework that defined how to operate and communicate, acted as a skeleton upon which to hang the muscular offerings of any vendor, and provided a methodology and communications protocol that allowed them all to work together and intercommunicate using a common nervous system, that would be excellent.
We would end up with a much lighter-weight intelligent threat defense mechanism. Adaptive and open, flexible and accommodating. Modular and a cause of little overhead.
But it isn’t, and it won’t be.
Unfortunately, all the "Endpoint Protection Platform" illustrates, as I pointed out previously, is that the same consolidation issues pervasive in the network world are happening now at the endpoint. All those network-based firewalls, IPS’s, AV gateways, IDS’s, etc. are smooshing into UTM platforms (you can call it whatever you want) and what we’re ending up with is the software equivalent of UTM on the endpoint.
SuperAgents or "Endpoint Protection Platforms" represent the desperately selfish grasping by security vendors (large and small) to remain relevant in an ever-shrinking marketspace. Just like most UTM offerings at the network level. Since piling up individual endpoint software hasn’t solved the problem, it must hold true that one is better than many, right?
Each of these vendors producing "Super Agent" frameworks, all have their own standards. Each of them are battling furiously to be "THE" standard, and we’re still not solving the problem.
Man, that stinks
Jon added some color to my point that the failure to interoperate is really an economic issue, not a technical one, by my describing "greed" as the cause. I got a chuckle out of his response:
Hoff goes on to say that he doesn’t think we will ever see this type of interoperability among vendors because of greed. I wouldn’t blame greed though, unless by greed he means an unwillingness to collaborate because they believe their value lies in their micro-monopoly patents and their ability to lock customers in their solution. (Little do they know, that they are making themselves less valuable by doing so.) No, there isn’t any interoperability because customers aren’t demanding it.
Some might suggest that my logic is flawed and the market demonstrates it with an example like where GE booted out Symantec in favor of 350,000 seats of Sophos:
Seeking to improve manageability and reduce costs which arise from managing multiple solutions, GE will introduce Network Access Control (NAC) as well as antivirus and client firewall protection which forms part of the Sophos Security and Control solution.
Sophos CEO, Steve Munford, said companies want a single integrated agent that handles all aspects of endpoint security on each PC.
"Other vendors offer security suites that are little more than a bunch of separate applications bundled together, all vying for resources on the user’s computer," he said.
"Enterprises tell us that the tide has turned, and the place for NAC and integrated security is at the endpoint."
While I philosophically don’t agree with the CEO’s comment relating the need for a Super Agent, the last line is the most important "…the place for…integrated security is at the endpoint." They didn’t say Super Agent, they said "integrated." If we had integration and interoperability, the customer wouldn’t care about how many "components" it would take so long as it was cost-effective and easily managed. That’s the rub because we don’t.
So I get the point here. Super Agents are our only logical choice, right? No!
I suggest that while we make progress toward secure OS’s and applications, instead of moving from tons of agents to a Super Agent, the more intelligent approach would be a graceful introduction of an interoperable framework of open-standards based protocols that allow these components to work together as the "natural" consolidation effect takes its course and markets become features. Don’t go from one extreme to the other.
I have yet to find anyone that actually believes that deploying a monolithic magnum malware mediator that maintains a modality of mediocrity masking a monoculture is a good idea.
…unless, of course, all you care about is taking the cost out of operationalizing security and not actually reducing risk. For some reason, these are being positioned by people as mutually-exclusive. The same argument holds true in the network space; in some regards we’re settling for "good enough" instead of pushing to fix the problem and not the symptoms.
If people would vote with the wallets (which *is* what the Jericho Forum does, Rich) we wouldn’t waste our time yapping about this, we’d be busy solving issues relevant to the business, not the sales quotas of security company sales reps. I guess that’s what GE did, but they had a choice. As the biggest IT consumer on the planet (so I’ve been told,) they could have driven their vendors together instead of apart.
People are loathe to think that progress can be made in this regard. That’s a shame, because it can, and it has. It may not be as public as you think, but there are people really working hard behind the scenes to make the operating systems, applications and protocols more secure.
As Jon points out, and many others like Ranum have said thousands of times before, we wouldn’t need half of these individual agents — or even Super Agents — if the operating systems and software were secure in the first place.
Run, Forrest, Run!
This is where people roll their eyes and suggest that I’m copping out because I’m describing a problem that’s not going to be fixed anytime soon. This is where they stop reading. This is where they just keep plodding along on the Hamster Wheel of Pain and add that line item for either more endpoint agents or a roll-up to a Super Agent.
I suggest that those of you who subscribe to this theory are wrong (and probably have huge calves from all that running.) The first evidence of this is already showing up on shelves. It’s not perfect, but it’s a start.
Take Vista, as an example. Love it or hate it, it *is* a more secure operating system and it features a slew of functionality that is causing dread and panic in the security industry — especially from folks like Symantec, hence the antitrust suits in the EU. If the OS becomes secure, how will we sell our Super Agents. ANTI-TRUST!
Let me reiterate that while we make progress toward secure OS’s and applications, instead of going from tons of agents to a Super Agent, the more intelligent approach is a graceful introduction of an interoperable framework of open-standards based protocols that allow these components to work together as the "natural" consolidation effect takes its course and markets become features. Don’t go from one extreme to the other.
Jon sums it up with the following describing solving the interoperability problem:
In short, let the market play out, rather than relying on and hoping for central planning. If customers demand it, it will emerge. There is no reason why there can’t be multiple standards competing for market share (look at all the different web syndication standards for example). Essentially, a standard would be collaboration between vendors to make their stuff play well together so they can win business. They create frameworks and APIs to make that happen more easily in the future so they can win business easier. If customers like it, it becomes a “standard”.
At any rate, I’m sitting in the Starbucks around the corner from tonight’s BeanSec! event. We’re going to solve world hunger tonight — I wonder if a Super Agent will do that one day, too?